For now, this article is just a checklist. I have a bunch of documentation on my side to configure for each topic. But if you want to start right now, here are the resources:
- Use Microsoft Secure Score
- Use Microsoft Identity Protection (Azure AD Premium P2 needed)
- Create a break glass emergency admin account
- Apply least privilege
- Configure password hash synchronization (PHS) or pass-through authentication (PTA) or use Federation
- Take advantage of Password Protection to protect cloud and on-premises (Active Directory) passwords
- Configure Seamless SSO
- Enable Modern authentication (and block basic authentication)
- Use Multi-Factor Authentication with Microsoft Authenticator or another software token, which needs no license. Hardware tokens need an Azure AD Premium license. More info about licensing here
- Go passwordless (currently in preview and only works from a computer browser. Not supported on Android/iOS or from PowerShell. Not publicly available for Windows authentication on hybrid-joined computers)
- Configure company branding and teach users not to trust a sign-in page without the custom logo/background. BUT be careful about the upcoming changes to the background
- Block application registration by end-user (https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/UserSettings)
- Block the "Users can consent to apps accessing company data on their behalf" setting
- Enable admin consent to give end users a way to request access to applications
- Restrict access to the Azure AD administration portal (https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/UserSettings)
- Manage guests settings (manage external collaboration settings)
- Enable self-service password reset
- Enable Conditional Access
- Configure SaaS enterprise applications with Single Sign-On and SCIM provisioning (if possible). Even if the application is NOT in the gallery, you can set up Single Sign-On with SAML or password-based SSO (browser add-on needed)
- Check Azure AD related applications with this script and this one (and delete applications that are not needed)
- Configure on-premises applications with Azure AD Application Proxy (Azure AD Premium needed for each user who accesses the app), or see the previous point if the application supports SAML
- Audit risky sign-ins weekly (Azure AD Premium needed).
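The "check Azure AD related applications" item above refers to scripts linked from the original post; the following is an added example, not one of those scripts, showing how the same review can be done with the AzureAD PowerShell module. It lists every service principal that holds a delegated (OAuth2) permission grant, flags user-consented grants and a constructed list of sensitive scopes, and assumes the AzureAD module is installed and the account used can read the directory.

```powershell
# Added example: inventory delegated permission grants so apps that users consented to
# (see the "Users can consent..." item) can be reviewed and removed if not needed.
# Assumes the AzureAD module is installed and Connect-AzureAD succeeds.
Connect-AzureAD | Out-Null

# Constructed list of scopes that deserve a second look; extend to taste.
$sensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'Files.ReadWrite.All',
                     'Directory.AccessAsUser.All', 'Contacts.Read')

$tenantId          = (Get-AzureADTenantDetail).ObjectId
$grants            = Get-AzureADOAuth2PermissionGrant -All $true
$servicePrincipals = Get-AzureADServicePrincipal -All $true

$report = foreach ($sp in $servicePrincipals) {
    # Grants are keyed on the client service principal's ObjectId.
    $spGrants = $grants | Where-Object { $_.ClientId -eq $sp.ObjectId }
    if (-not $spGrants) { continue }

    # Scope is a space-separated string per grant; flatten and dedupe it.
    $scopes = $spGrants | ForEach-Object { $_.Scope -split ' ' } |
              Where-Object { $_ } | Sort-Object -Unique

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        Publisher      = $sp.PublisherName
        OwnedByTenant  = ($sp.AppOwnerTenantId -eq $tenantId)
        # 'Principal' = a single user consented; 'AllPrincipals' = admin consent.
        UserConsents   = @($spGrants | Where-Object { $_.ConsentType -eq 'Principal' }).Count
        AdminConsented = [bool]($spGrants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })
        Scopes         = ($scopes -join ' ')
        Sensitive      = [bool]($scopes | Where-Object { $sensitiveScopes -contains $_ })
        GrantIds       = (($spGrants | ForEach-Object { $_.ObjectId }) -join ',')
    }
}

# Sensitive, user-consented, third-party apps bubble to the top for review.
$report | Sort-Object Sensitive, UserConsents -Descending | Format-Table -AutoSize

# After review, a grant that should not exist is removed by its ObjectId, e.g.:
# Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId from the report>
```

The same data is available in the portal under Enterprise applications > Permissions, but the script gives a tenant-wide view that is easier to diff week over week.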